Results 1-10 of 28
Security Bounds for the Design of Code-Based Cryptosystems, 2009
Cited by 36 (5 self)
Abstract. Code-based cryptography is often viewed as an interesting “Post-Quantum” alternative to the classical number theory cryptography. Unlike many other such alternatives, it has the convenient advantage of having only a few, well identified, attack algorithms. However, improvements to these algorithms have made their effective complexity quite complex to compute. We give here some lower bounds on the work factor of idealized versions of these algorithms, taking into account all possible tweaks which could improve their practical complexity. The aim of this article is to help designers select durably secure parameters.
Cryptanalysis of GRINDAHL
Cited by 10 (4 self)
Abstract. Due to recent breakthroughs in hash functions cryptanalysis, some new hash schemes have been proposed. GRINDAHL is a novel hash function, designed by Knudsen, Rechberger and Thomsen and published at FSE 2007. It has the particularity that it follows the RIJNDAEL design strategy, with an efficiency comparable to SHA-256. This paper provides the first cryptanalytic work on this new scheme. We show that the 256-bit version of GRINDAHL is not collision resistant. With a work effort of approximatively 2^112 hash computations, one can generate a collision. Key words: GRINDAHL, hash functions, RIJNDAEL.
Linearization attacks against syndrome based hashes. Cryptology ePrint Archive, Report 2007/295, 2007
Cited by 9 (0 self)
Abstract. In MyCrypt 2005, Augot, Finiasz, and Sendrier proposed FSB, a family of cryptographic hash functions. The security claim of the FSB hashes is based on a coding theory problem with hard average-case complexity. In the ECRYPT 2007 Hash Function Workshop, new versions with essentially the same compression function but radically different security parameters and an additional final transformation were presented. We show that hardness of average-case complexity of the underlying problem is irrelevant in collision search by presenting a linearization method that can be used to produce collisions in a matter of seconds on a desktop PC for the variant of FSB with claimed 2^128 security.
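The linearization idea in the abstract above, as an added worked example (this is neither Saarinen's code nor an FSB implementation): a toy syndrome-based compression function with made-up parameters r = 32, w = 40 blocks and b = 16 columns per block, and the collision attack that applies as soon as w > r. Fixing two columns per block reduces the collision search to finding a kernel vector of an r x w binary matrix, which Gaussian elimination does instantly whatever the average-case hardness of syndrome decoding. The final transformation and the quasi-cyclic matrix of the real FSB variants are left out.

```python
# Added illustration of a linearization collision attack on a toy FSB-style
# compression function.  Parameters are made up; the matrix is random rather
# than quasi-cyclic and there is no final transformation.
import random

R = 32   # syndrome (output) length in bits            -- made-up toy parameter
W = 40   # message blocks, one column chosen per block -- made-up, chosen > R
B = 16   # columns per block (each block encodes 4 message bits)


def make_matrix(seed=1):
    """Random r x (w*b) binary matrix H, stored as w lists of b column integers."""
    rng = random.Random(seed)
    return [[rng.getrandbits(R) for _ in range(B)] for _ in range(W)]


def compress(H, msg):
    """FSB-style compression: XOR the column each block selects.  The output is
    the syndrome H*e of a regular word e of weight w (one 1 per block)."""
    out = 0
    for i, col in enumerate(msg):
        out ^= H[i][col]
    return out


def kernel_vector(cols, nrows):
    """Return a nonzero 0/1 vector x with XOR of {cols[i] : x[i] = 1} == 0,
    or None if the columns are linearly independent over GF(2).
    Plain Gaussian elimination; each row is kept as a len(cols)-bit integer."""
    n = len(cols)
    rows = [sum(((cols[i] >> j) & 1) << i for i in range(n)) for j in range(nrows)]
    pivots = {}  # pivot column -> row that is 1 at that column, 0 at other pivots
    for row in rows:
        for pc, prow in pivots.items():
            if (row >> pc) & 1:
                row ^= prow
        if row == 0:
            continue
        pc = (row & -row).bit_length() - 1      # lowest set bit becomes the pivot
        for qc in pivots:
            if (pivots[qc] >> pc) & 1:
                pivots[qc] ^= row
        pivots[pc] = row
    free = [c for c in range(n) if c not in pivots]
    if not free:
        return None
    f = free[0]                                 # one free variable set to 1
    x = [0] * n
    x[f] = 1
    for pc, prow in pivots.items():
        x[pc] = (prow >> f) & 1                 # back-substitute the pivots
    return x


def linearization_collision(H):
    """Fix two columns a_i, b_i in every block and let d_i = H[i][a_i] ^ H[i][b_i].
    Switching block i from a_i to b_i changes the syndrome by d_i, so any nonzero
    x with XOR_{x_i = 1} d_i = 0 turns the all-a message into a different message
    with the same syndrome.  D = [d_1 .. d_w] has w columns of r bits, so for
    w > r its kernel is nontrivial and the collision costs one elimination."""
    a = [0] * W
    b = [1] * W
    d = [H[i][a[i]] ^ H[i][b[i]] for i in range(W)]
    x = kernel_vector(d, R)
    if x is None:
        return None
    m1 = [b[i] if x[i] else a[i] for i in range(W)]
    return a, m1


if __name__ == "__main__":
    H = make_matrix()
    m0, m1 = linearization_collision(H)
    assert m0 != m1 and compress(H, m0) == compress(H, m1)
    print("collision; blocks that differ:", sum(u != v for u, v in zip(m0, m1)))
```

The attack as written needs w > r; for w ≤ r the matrix D is usually of full rank and `linearization_collision` returns None, so the ratio of w to r is the first thing to check in any syndrome-based parameter set.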
On building hash functions from multivariate quadratic equations. Lecture Notes in Computer Science, 2007
Cited by 8 (1 self)
Abstract. Recent advances in hash functions cryptanalysis provide a strong impetus to explore new designs. This paper describes a new hash function mqhash that depends for its security on the difficulty of solving randomly drawn systems of multivariate equations over a finite field. While provably achieving preimage resistance for a hash function based on multivariate equations is relatively easy, naïve constructions using multivariate equations are susceptible to collision attacks. In this paper, therefore, we describe a mechanism, also using multivariate quadratic polynomials, yielding the collision-free property we seek while retaining provable preimage resistance. Therefore, mqhash offers an intriguing companion proposal to the provably collision-free hash function vsh.
Really fast syndrome-based hashing. URL: http://eprint.iacr.org/2011/074, 2011
Cited by 6 (1 self)
Abstract. The FSB (fast syndrome-based) hash function was submitted to the SHA-3 competition by Augot, Finiasz, Gaborit, Manuel, and Sendrier in 2008, after preliminary designs proposed in 2003, 2005, and 2007. Many FSB parameter choices were broken by Coron and Joux in 2004, Saarinen in 2007, and Fouque and Leurent in 2008, but the basic FSB idea appears to be secure, and the FSB submission remains unbroken. On the other hand, the FSB submission is also quite slow, and was not selected for the second round of the competition. This paper introduces RFSB, an enhancement to FSB. In particular, this paper introduces the RFSB-509 compression function, RFSB with a particular set of parameters. RFSB-509, like the FSB-256 compression function, is designed to be used inside a 256-bit collision-resistant hash function: all known attack strategies cost more than 2^128 to find collisions in RFSB-509. However, RFSB-509 is an order of magnitude faster than FSB-256. On a single core of a Core 2 Quad Q9550 CPU, RFSB-509 runs at 10.67 cycles/byte: faster than SHA-256, faster than 7 of the 14 second-round SHA-3 candidates, and faster than 3 of the 5 SHA-3 finalists. Key words: compression functions, collision resistance, linearization, generalized birthday attacks, information-set decoding, tight reduction to L1 cache.
Analysis of Multivariate Hash Functions
Cited by 6 (1 self)
Abstract. We analyse the security of new hash functions whose compression function is explicitly defined as a sequence of multivariate equations. First we prove non-universality of certain proposals with sparse equations, and deduce trivial collisions holding with high probability. Then we introduce a method inspired from coding theory for solving underdefined systems with a low density of nonlinear monomials, and apply it to find collisions in certain functions. We also study the security of message authentication codes HMAC and NMAC built on multivariate hash functions, and demonstrate that families of low-degree functions over GF(2) are neither pseudorandom nor unpredictable.
FSBday: Implementing Wagner’s generalized birthday attack against the SHA-3 round-1 candidate FSB
Cited by 6 (2 self)
Abstract. This paper applies generalized birthday attacks to the FSB compression function, and shows how to adapt the attacks so that they run in far less memory. In particular, this paper presents details of a parallel implementation attacking FSB-48, a scaled-down version of FSB proposed by the FSB submitters. The implementation runs on a cluster of 8 PCs, each with only 8 GB of RAM and 700 GB of disk. This situation is very interesting for estimating the security of systems against distributed attacks using contributed off-the-shelf PCs. Keywords: SHA-3, Birthday, FSB – Wagner, not much Memory
Syndrome based collision resistant hashing
Cited by 3 (0 self)
Abstract. Hash functions are a hot topic at the moment in cryptography. Many proposals are going to be made for SHA-3, and among them, some provably collision resistant hash functions might also be proposed. These do not really compete with “standard” designs as they are usually much slower and not well suited for constrained environments. However, they present an interesting alternative when speed is not the main objective. As always when dealing with provable security, hard problems are involved, and the fast syndrome-based cryptographic hash function proposed by Augot, Finiasz and Sendrier at Mycrypt 2005 relies on the problem of Syndrome Decoding, a well known “Post Quantum” problem from coding theory. In this article we review the different variants and attacks against it so as to clearly point out which choices are secure and which are not.
Cryptanalysis of a Hash Function Based on Quasi-Cyclic Codes
Cited by 3 (0 self)
Abstract. At the ECRYPT Hash Workshop 2007, Finiasz, Gaborit, and Sendrier proposed an improved version of a previous provably secure syndrome-based hash function. The main innovation of the new design is the use of a quasi-cyclic code in order to have a shorter description and to lower the memory usage. In this paper, we look at the security implications of using a quasi-cyclic code. We show that this very rich structure can be used to build a highly efficient attack: with most parameters, our collision attack is faster than the compression function! Key words: hash function, provable security, cryptanalysis, quasi-cyclic code, syndrome decoding.
Faster 2-regular information-set decoding
Cited by 2 (1 self)
Abstract. Fix positive integers B and w. Let C be a linear code over F2 of length Bw. The 2-regular-decoding problem is to find a nonzero codeword consisting of w length-B blocks, each of which has Hamming weight 0 or 2. This problem appears in attacks on the FSB (fast syndrome-based) hash function and related proposals. This problem differs from the usual information-set-decoding problems in that (1) the target codeword is required to have a very regular structure and (2) the target weight can be rather high, so that there are many possible codewords of that weight. Augot, Finiasz, and Sendrier, in the paper that introduced FSB, presented a variant of information-set decoding tuned for 2-regular decoding. This paper improves the Augot–Finiasz–Sendrier algorithm in a way that is analogous to Stern’s improvement upon basic information-set decoding. The resulting algorithm achieves an exponential speedup over the previous algorithm. Keywords: Information-set decoding, 2-regular decoding, FSB, binary codes.
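The generalized birthday attack of the FSBday entry and the 2-regular decoding problem defined in the abstract above, in one added worked example (not the FSBday implementation; the parameters r = 24, w = 8 and b = 8 columns per block are made up so that a 4-list attack finishes in well under a second). Two messages collide exactly when the columns they choose differently XOR to zero, so the attack enumerates, per block, "same column" or "one pair of distinct columns" (contributing 0 or H[i][c1] ^ H[i][c2]), groups the blocks into four lists, and clears about r/3 bits at each of two merge levels. Any surviving entry in which some block actually changed columns is a 2-regular word (weight 0 or 2 per block) in the kernel of H, and therefore a collision of the compression function.

```python
# Added illustration of Wagner's 4-list generalized birthday attack finding a
# 2-regular kernel word (a collision) of a toy FSB-style compression function.
# Parameters are made up; the matrix is random rather than quasi-cyclic.
import random
from collections import defaultdict

R = 24     # syndrome length in bits              -- made-up toy parameter
W = 8      # message blocks, one column per block -- made-up
B = 8      # columns per block                    -- made-up
K = 4      # lists in Wagner's tree (two merge levels)
LOW = 8    # bits forced to zero at the first level, roughly R/3


def make_matrix(seed=7):
    """Random r x (w*b) binary matrix H, stored as w lists of b column integers."""
    rng = random.Random(seed)
    return [[rng.getrandbits(R) for _ in range(B)] for _ in range(W)]


def compress(H, msg):
    """FSB-style compression: XOR of the column selected in each block."""
    out = 0
    for i, col in enumerate(msg):
        out ^= H[i][col]
    return out


def block_options(H, i):
    """Every way block i can contribute to the XOR of two messages' syndromes:
    both messages pick column 0 (contribution 0) or they pick two distinct
    columns c1 < c2 (contribution H[i][c1] ^ H[i][c2])."""
    opts = [(0, (0, 0))]
    for c1 in range(B):
        for c2 in range(c1 + 1, B):
            opts.append((H[i][c1] ^ H[i][c2], (c1, c2)))
    return opts


def group_list(H, blocks):
    """Cartesian product of the options of several blocks: a leaf list of
    (xor of contributions, tuple of per-block column pairs)."""
    entries = [(0, ())]
    for i in blocks:
        entries = [(v ^ d, ch + (pair,))
                   for v, ch in entries for d, pair in block_options(H, i)]
    return entries


def merge(left, right, mask):
    """One level of Wagner's tree: join pairs whose values agree on `mask`,
    so the XOR of every output entry is zero on those bits."""
    index = defaultdict(list)
    for v, ch in right:
        index[v & mask].append((v, ch))
    return [(v ^ v2, ch + ch2)
            for v, ch in left for v2, ch2 in index[v & mask]]


def wagner_collision(H):
    """Split the blocks into K groups, clear LOW bits at level one and the
    remaining bits at level two; any zero sum in which at least one block
    changed columns gives two distinct messages with equal syndrome."""
    per = W // K
    lists = [group_list(H, range(g * per, (g + 1) * per)) for g in range(K)]
    l12 = merge(lists[0], lists[1], (1 << LOW) - 1)
    l34 = merge(lists[2], lists[3], (1 << LOW) - 1)
    for v, choices in merge(l12, l34, (1 << R) - 1):
        if v == 0 and any(c1 != c2 for c1, c2 in choices):
            return [c1 for c1, _ in choices], [c2 for _, c2 in choices]
    return None


def two_regular_word(m0, m1):
    """Positions of the 1s of the kernel word, block by block: empty for an
    unchanged block, two positions for a changed one (weight 0 or 2)."""
    return [set() if c1 == c2 else {c1, c2} for c1, c2 in zip(m0, m1)]


if __name__ == "__main__":
    H = make_matrix()
    m0, m1 = wagner_collision(H)
    assert compress(H, m0) == compress(H, m1)
    print(m0, m1, [len(s) for s in two_regular_word(m0, m1)])
```

With these sizes each leaf list has 29^2 = 841 entries, the first level leaves about 2^11.4 entries per side and the final level is expected to produce on the order of a hundred zero sums, so the search essentially cannot fail; at real FSB sizes the same tree is what drives the memory budget that the FSBday paper works to reduce.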